
CERT-In Incident Note CIIN-2003-04

Exploitation of Internet Explorer Vulnerability

Original Issue Date: October 3, 2003

Severity : High

Affected System Software:

. Microsoft Internet Explorer 5.01
. Microsoft Internet Explorer 5.5
. Microsoft Internet Explorer 6.0
. Microsoft Internet Explorer 6.0 for Windows Server 2003

Overview

It has been reported that attackers are actively exploiting the Microsoft Internet Explorer vulnerability described in Microsoft Security Bulletin MS03-032. Microsoft Internet Explorer (IE) will execute an HTML Application (HTA) referenced by the DATA attribute of an OBJECT element if the Content-Type header returned by the web server is set to "application/hta". An attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user running IE.

Impact

By convincing a victim to view an HTML document (web page, HTML email), a remote attacker could execute arbitrary code with the privileges of the victim.

Description

The attackers are leveraging the vulnerability in Internet Explorer to cause victim systems to perform various tasks. These attacks include the installation of tools for launching distributed denial-of-service (DDoS) attacks and the use of the victim system's modem to dial pay-per-minute services, thereby incurring significant expense to users.

By convincing a user running a vulnerable version of Microsoft Internet Explorer (IE) to view an HTML document (e.g., a web page or HTML email), a remote attacker could execute arbitrary code with the privileges of the user. The vulnerability exists due to an interaction between IE's MIME type processing and the way it handles HTML Application (HTA) files embedded in OBJECT tags. When an HTA file is referenced by the DATA attribute of an OBJECT element, and the web server returns the Content-Type header set to application/hta, IE may execute the HTA file directly, without user intervention. The HTML used to reference the HTA file can be created in at least three ways:

1. The HTML can be static
2. The HTML can be generated by script
3. The HTML can be generated by Data Binding an XML source to an HTML

The extension of the HTA file does not affect this behavior: for example, <OBJECT DATA="somefile.jpg"> (where somefile.jpg is a text file containing HTML code). What matters is the Content-Type header the server returns, not the file name.

IE security zone settings for ActiveX controls may prevent an HTA from being executed in this manner. Any program that uses the Web Browser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Outlook and Outlook Express are affected; however, recent versions of these programs open mail in the Restricted sites zone, where ActiveX controls and plug-ins are disabled by default.

Solution

Apply patch

Apply the patch given in Microsoft Security Bulletin MS03-032. The cumulative patch referenced in the Microsoft Bulletin stops HTAs from executing in one case: where static HTML is used to create an OBJECT element referencing the HTA (1). The patch does not prevent HTAs from executing in at least two other cases, where the requisite HTML is generated by script (2) or by Data Binding (3). It is recommended that users and administrators take the additional steps given below to protect against exploitation.

Additional steps

Disable ActiveX controls and plug-ins
Disabling the "Run ActiveX controls and plug-ins" setting can prevent OBJECT elements from being instantiated, thus preventing exploitation of this vulnerability. Disable "Run ActiveX controls and plug-ins" in the Internet zone and any zone used to read HTML email.

Apply the Outlook Email Security Update
Another way to effectively disable ActiveX controls and plug-ins in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook.

Maintain updated antivirus software
Antivirus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on antivirus software to defend against this vulnerability.

Additional steps for expert users

Unmap HTA MIME type
Deleting or renaming the following registry key prevents HTAs from executing in the three cases listed above:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/hta

Block Content-Type headers
Use an application layer firewall, HTTP proxy, or similar technology to block or modify HTTP Content-Type headers with the value "application/hta". This technique may not work for encrypted HTTP connections and it may break applications that require the "application/hta" Content-Type header.
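A proxy-side implementation of this workaround, added here as an example (it is not part of the CERT-In note, the CERT/CC note or any vendor product): a filter for HTTP responses that rewrites the "application/hta" Content-Type to an opaque type and flags HTML bodies that reference an OBJECT element's DATA attribute. It keys on the header rather than the URL, which is the point made above about the file extension being irrelevant, and it matches the media type case-insensitively and ignores parameters such as charset. The sample responses, the replacement type in SAFE_MIME and all function names are constructed for this demonstration.

```python
"""Proxy-side filter for the application/hta Content-Type workaround.

Added example, not code from the advisory. It shows how an HTTP proxy or
application-layer firewall could neutralise server responses that carry
Content-Type: application/hta, and how to flag HTML pages that reference
an OBJECT element's DATA attribute for review. All sample data below is
constructed, not captured traffic.
"""
import re
from typing import List, Tuple

Headers = List[Tuple[str, str]]

HTA_MIME = "application/hta"
# Constructed choice: an opaque type so the browser treats the body as data.
SAFE_MIME = "application/octet-stream"

# Matches an OBJECT start tag that carries a DATA attribute, any case.
OBJECT_DATA_RE = re.compile(rb"<\s*object\b[^>]*\bdata\s*=", re.IGNORECASE | re.DOTALL)


def parse_response(raw: bytes) -> Tuple[str, Headers, bytes]:
    """Split a raw HTTP/1.x response into status line, header list and body.

    Header names keep their original spelling so the response can be rebuilt
    byte-for-byte when nothing needs changing.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def get_header(headers: Headers, name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return ""


def set_header(headers: Headers, name: str, value: str) -> Headers:
    """Return a copy of the header list with one header's value replaced."""
    return [(k, value if k.lower() == name.lower() else v) for k, v in headers]


def media_type(content_type: str) -> str:
    """Bare media type: 'Application/HTA; charset=x' -> 'application/hta'."""
    return content_type.split(";", 1)[0].strip().lower()


def is_hta_response(headers: Headers) -> bool:
    """True when the server declares the body as an HTML Application."""
    return media_type(get_header(headers, "Content-Type")) == HTA_MIME


def references_object_data(body: bytes) -> bool:
    """True when an HTML body contains an OBJECT element with a DATA attribute."""
    return OBJECT_DATA_RE.search(body) is not None


def filter_response(raw: bytes) -> Tuple[bytes, List[str]]:
    """Apply the workaround to one response.

    Returns the (possibly rewritten) response bytes and a list of findings
    suitable for the proxy's log. The URL or file extension is never consulted.
    """
    status, headers, body = parse_response(raw)
    findings: List[str] = []
    if is_hta_response(headers):
        original = get_header(headers, "Content-Type")
        findings.append(f"Content-Type {original!r} rewritten to {SAFE_MIME}")
        headers = set_header(headers, "Content-Type", SAFE_MIME)
    if media_type(get_header(headers, "Content-Type")) == "text/html" and references_object_data(body):
        findings.append("HTML body references an OBJECT element with a DATA attribute (review)")
    head = status + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers) + "\r\n"
    return head.encode("iso-8859-1") + body, findings


# Constructed sample responses for the demonstration.
SAMPLE_HTA = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: demo\r\n"
    b"Content-Type: Application/HTA; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body>placeholder body</body></html>"
)
SAMPLE_HTML_PAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><OBJECT DATA=\"somefile.jpg\"></OBJECT></body></html>"
)
SAMPLE_IMAGE = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8\xff"

if __name__ == "__main__":
    for name, sample in [("hta", SAMPLE_HTA), ("html", SAMPLE_HTML_PAGE), ("image", SAMPLE_IMAGE)]:
        _, found = filter_response(sample)
        print(name, found or ["no findings"])
```

As the advisory notes, a filter like this only sees cleartext HTTP; it does nothing for encrypted connections unless the proxy terminates TLS, and it will break any legitimate application that depends on the "application/hta" Content-Type.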

Block mshta.exe
Use a host-based firewall to deny network access to the HTA host: %SystemRoot%\system32\mshta.exe. Examining network traces of known attack vectors, it seems that the exploit HTML/HTA code is accessed three times, twice by IE and once by mshta.exe. The HTA is instantiated at some point before the third access attempt. Blocking mshta.exe prevents the third access attempt, which appears to prevent the exploit code from being loaded into the HTA. There may be other attack vectors that circumvent this workaround.

References

CERT/CC Incident Note IN-2003-04
http://www.cert.org/incident_notes/IN-2003-04.html

Microsoft Security Bulletin MS03-032
http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

eEye Digital Security Advisories and Alerts
http://www.eeye.com/html/Research/Advisories/AD20030820.html

Secunia Advisory SA9580
http://www.secunia.com/advisories/9580/

Symantec Alerts
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.coreflood.dr.html
http://securityresponse.symantec.com/avcenter/venc/data/download.aduent.trojan.html

Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003